Control-D/Agent SSL Configuration

Control-D/Agent uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, ensuring secure communication between the various Control-D components, such as Control-D Delivery Server and Control-D Mainframe. SSL/TLS secures the communication between distributed systems when you use the File Transfer Client and File Transfer Server utility.

The following procedures describe how to configure SSL security in Control-D/Agent.

Enabling SSL

This procedure describes how to enable SSL for File Transfer Server Utility with Control-D/Agent, which secures available files for transfer.

Begin

  1. Enable SSL on the Control-D/Agent File Transfer Client by doing the following:

    In the ft_server.config configuration file in <INSTALLATION PATH>/config, set SSL to Yes.

  2. Enable SSL on the Control-D File Transfer Server by doing the following:

    In the ft_server.config configuration file in <INSTALLATION PATH>/config, set SSL to Yes.

  3. For each field, define the required parameters, as described in Control-D/Agent SSL Configuration Parameters.

    SSL/TLS protocol is now enabled on Control-D/Agent.

Control-D/Agent SSL Configuration Parameters

The following table describes the ctdagent.ssl.properties configuration parameters.

  Parameter          Description
  -----------------  ----------------------------------------------------------------
  KeystorePassword   Determines the encrypted password required to open the keystore
                     file, which stores the certificate and other SSL information.

  KeystoreFile       Defines the file path to the keystore file.
                     Default: ctdagent.keystore

  KeyManagerFactory  (Optional) Set the value to IbmX509 when Control-D/Agent runs
                     with IBM Java, such as on AIX.
                     Default: SunX509
                     In the ctdagent.ssl.properties configuration file, remove the #
                     at the beginning of the line containing IbmX509 and add # to the
                     beginning of the line containing SunX509.
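The following script is an added example, not BMC code, that checks the two files the procedures above edit before the agent is restarted: it confirms that SSL is set to Yes in ft_server.config, that KeystorePassword and KeystoreFile are set (and the keystore is readable), and that exactly one KeyManagerFactory line is active, because leaving both the SunX509 and the IbmX509 lines uncommented is the usual mistake when toggling the # characters. It assumes both files use key=value lines with # comment lines; the sample files it writes (write_sample_config) are constructed for the demonstration, and ENCRYPTED_PLACEHOLDER stands in for a value produced by bmc-ctd-ssl-changepass.

```shell
#!/bin/sh
# Added example (not BMC code). Assumption: ft_server.config and
# ctdagent.ssl.properties are key=value files in which '#' starts a comment.

# active_value FILE KEY -> value of the first uncommented "KEY = value" line
active_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ctd_ssl_config FT_CONFIG SSL_PROPERTIES
# Prints one line per problem and returns 1 if any; prints nothing and returns 0 if clean.
check_ctd_ssl_config() {
  ft="$1"; props="$2"; problems=0

  # Step 1/2 of "Enabling SSL": SSL must be Yes in the file transfer configuration.
  ssl=$(active_value "$ft" SSL)
  case "$ssl" in
    [Yy][Ee][Ss]) ;;
    *) echo "SSL is '$ssl' in $ft, expected Yes"; problems=$((problems+1)) ;;
  esac

  # KeystorePassword: the encrypted value must be present.
  [ -n "$(active_value "$props" KeystorePassword)" ] \
    || { echo "KeystorePassword is empty in $props"; problems=$((problems+1)); }

  # KeystoreFile: a relative path is resolved against the properties file's directory (assumption).
  ksfile=$(active_value "$props" KeystoreFile)
  case "$ksfile" in
    "") echo "KeystoreFile is not set in $props"; problems=$((problems+1)) ;;
    /*) [ -r "$ksfile" ] || { echo "KeystoreFile $ksfile is not readable"; problems=$((problems+1)); } ;;
    *)  [ -r "$(dirname "$props")/$ksfile" ] \
          || { echo "KeystoreFile $ksfile is not readable"; problems=$((problems+1)); } ;;
  esac

  # KeyManagerFactory: exactly one active line, valued SunX509 or IbmX509.
  kmf_count=$(grep -c '^[[:space:]]*KeyManagerFactory[[:space:]]*=' "$props" || true)
  kmf=$(active_value "$props" KeyManagerFactory)
  if [ "$kmf_count" -ne 1 ]; then
    echo "expected exactly one active KeyManagerFactory line in $props, found $kmf_count"
    problems=$((problems+1))
  elif [ "$kmf" != SunX509 ] && [ "$kmf" != IbmX509 ]; then
    echo "KeyManagerFactory is '$kmf', expected SunX509 or IbmX509"; problems=$((problems+1))
  fi

  [ "$problems" -eq 0 ]
}

# write_sample_config DIR: constructed sample files that pass the check.
write_sample_config() {
  dir="$1"
  printf 'SSL=Yes\n' > "$dir/ft_server.config"
  cat > "$dir/ctdagent.ssl.properties" <<'EOF'
# constructed sample; the real password value is produced by bmc-ctd-ssl-changepass
KeystorePassword=ENCRYPTED_PLACEHOLDER
KeystoreFile=ctdagent.keystore
KeyManagerFactory=SunX509
#KeyManagerFactory=IbmX509
EOF
  : > "$dir/ctdagent.keystore"   # empty placeholder so the readability check passes
}

# Usage: check_ctd_ssl_config "<INSTALLATION PATH>/config/ft_server.config" \
#                             "<INSTALLATION PATH>/config/ctdagent.ssl.properties"
```

Run the check after editing the files and again after switching KeyManagerFactory on an IBM Java host; a non-zero exit with the printed problem lines tells you which of the three settings still needs attention.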

Changing the Encrypted Password

This procedure describes how to change the encrypted KeystorePassword, which enhances security.

Begin

  1. From the <INSTALLATION PATH>/bin directory, type one of the following commands:

    • UNIX: bmc-ctd-ssl-changepass

    • Windows: bmc-ctd-ssl-changepass.bat

  2. Type a new password. The ctdagent.ssl.properties configuration file is updated with the new password.

    The password is stored in encrypted form.

Generating SSL Certificates

This procedure describes how to generate SSL Certificates for Control-D/Agent.

You must use the same password for the keystore as the KeystorePassword that you set when you configure the Control-D/Agent SSL settings.

  1. Create the ctdagent.keystore file and export or import a private/public key.

    On Windows, you must run the Java keytool utility from the following folder:

    <INSTALLATION PATH>\JRE\bin.

  2. Run the Java keytool utility with the following command:

    keytool -genkey -alias ctdagent -keystore <keystore_file_path> -storepass <keystore_password> -keypass <keystore_password> -dname <distinguished_name> -keyalg <rsa|dsa>

    keytool -genkey -alias ctdagent -keystore ctdagent.keystore -keyalg rsa -storepass ctdagentpass -keypass ctdagentpass -dname "C=IS, ST=Texas, L=Houston, O=bmc, OU=MSM, CN=ctdagent"

    You must use the same password for storepass and keypass.

  3. Export a CSR (Certificate Signing Request) from the keystore so that a CA can sign it.

    Run the keytool utility with the following command:

    keytool -certreq -alias ctdagent -keystore <keystore_file_path> -storepass <keystore_password> -file <certfilename.crs>

    keytool -certreq -alias ctdagent -keystore ctdagent.keystore -storepass ctdagentpass -file ctdagentCert.crs

  4. Use a private or commercial trusted CA to process the CSR and sign the certificate.

  5. Import a CA certificate into the keystore.

    Run the keytool utility with the following command:

    keytool -import -alias <alias_for_the_CA_entry> -keystore <keystore_file_path> -storepass <keystore_password> -file <cacert.pem>

    keytool -import -alias systemca -keystore ctdagent.keystore -storepass ctdagentpass -file new_ca.pem

  6. Import the intermediate certificate when the CA contains one.

  7. Import a signed certificate into the keystore.

    Run the keytool utility with the following command:

    keytool -import -alias <alias_for_the_key_entry> -keystore <keystore_file_path> -storepass <keystore_password> -file <certfilename>.der

    The signed certificate must be in X.509 DER format.

    keytool -import -alias ctdagent -keystore ctdagent.keystore -storepass ctdagentpass -file ctdagentCert.der
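The following script is an added example, not BMC code, that runs steps 1 to 7 above end to end in a temporary directory and then verifies the result by reading the certificate chain length of the ctdagent entry (2 means the signed certificate chains to the imported CA). Step 4 is replaced by a locally generated test CA (alias testca, signed with keytool -gencert), which stands in for the private or commercial CA you would actually use; the intermediate certificate of step 6 is therefore not needed here. It uses the modern command names -genkeypair and -importcert (aliases of -genkey and -import), adds -noprompt to the CA import so the script does not wait for the "Trust this certificate?" prompt, and reuses the password and distinguished name from the page's sample commands as constructed values.

```shell
#!/bin/sh
# Added example (not BMC code): build ctdagent.keystore the way the procedure
# describes, with a local test CA in place of step 4, and verify the chain.

ctd_keystore_lifecycle() {
  # Pre-flight: keytool must be on PATH (on Windows, <INSTALLATION PATH>\JRE\bin).
  if ! command -v keytool >/dev/null 2>&1; then
    echo skip
    return 0
  fi
  work=$(mktemp -d) || return 1
  pass=ctdagentpass                 # must equal the configured KeystorePassword
  ks="$work/ctdagent.keystore"
  ca_ks="$work/testca.keystore"     # assumption: local test CA standing in for the real CA

  # Steps 1-2: agent key pair; -storepass and -keypass must be identical.
  keytool -genkeypair -alias ctdagent -keystore "$ks" -keyalg rsa \
    -storepass "$pass" -keypass "$pass" \
    -dname "C=IS, ST=Texas, L=Houston, O=bmc, OU=MSM, CN=ctdagent" >/dev/null 2>&1 || return 1

  # Step 3: export the CSR.
  keytool -certreq -alias ctdagent -keystore "$ks" -storepass "$pass" \
    -file "$work/ctdagentCert.crs" >/dev/null 2>&1 || return 1

  # Step 4 (local stand-in): CA key pair with BasicConstraints ca:true, CA cert in PEM,
  # and the CSR signed into an X.509 DER file, as the procedure requires for step 7.
  keytool -genkeypair -alias testca -keystore "$ca_ks" -keyalg rsa \
    -storepass "$pass" -keypass "$pass" -ext bc:c \
    -dname "CN=Control-D Test CA, O=example" >/dev/null 2>&1 || return 1
  keytool -exportcert -alias testca -keystore "$ca_ks" -storepass "$pass" \
    -rfc -file "$work/new_ca.pem" >/dev/null 2>&1 || return 1
  keytool -gencert -alias testca -keystore "$ca_ks" -storepass "$pass" \
    -infile "$work/ctdagentCert.crs" -outfile "$work/ctdagentCert.der" >/dev/null 2>&1 || return 1

  # Step 5: import the CA certificate as a trusted entry before the signed reply.
  keytool -importcert -noprompt -alias systemca -keystore "$ks" -storepass "$pass" \
    -file "$work/new_ca.pem" >/dev/null 2>&1 || return 1

  # Step 7: import the signed certificate into the key entry; keytool refuses it
  # unless it can build a chain to a trusted entry already in the keystore.
  keytool -importcert -alias ctdagent -keystore "$ks" -storepass "$pass" \
    -file "$work/ctdagentCert.der" >/dev/null 2>&1 || return 1

  # Verification: chain length 2 = agent certificate + CA certificate.
  keytool -list -v -alias ctdagent -keystore "$ks" -storepass "$pass" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
  rm -rf "$work"
}

# Usage: ctd_keystore_lifecycle   (prints 2 on success, or skip when keytool is absent)
```

The same -list -v check is worth running on the production keystore after step 7: a chain length of 1 means the reply was imported without its issuer, which is what happens when step 5 (or step 6 for an intermediate) was skipped.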